SB2023072073 - Gentoo update for OpenSSH
Published: July 20, 2023 Updated: January 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Double Free (CVE-ID: CVE-2023-25136)
The vulnerability allows a remote attacker to potentially execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the sshd(8) daemon. A remote non-authenticated attacker can send specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.
The vendor believes exploitation of this vulnerability has limitations as double free occurs "in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms". Nevertheless we assign a high risk to this vulnerability.
2) Credentials management (CVE-ID: CVE-2023-28531)
The vulnerability allows a remote user to bypass implemented security restrictions.
the vulnerability exists due to a logic error in ssh-add when adding smartcard keys to ssh-agent with the per-hop destination constraints. As a result, the keys are added without constraints.
3) Untrusted search path (CVE-ID: CVE-2023-38408)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to usage of an insecure search path within the PKCS#11 feature in ssh-agent. A remote attacker can trick the victim into connecting to a malicious SSH server and execute arbitrary code on the system, if an agent is forwarded to an attacker-controlled system.
Note, this vulnerability exists due to incomplete fix for #VU2015 (CVE-2016-10009).
Remediation
Install update from vendor's website.